PT-2026-36653 · Rubygems · Openc3

Published

2026-04-22

·

Updated

2026-04-22

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows tool configuration files to be saved at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation mitigates standard path traversal attacks by canonicalizing the filename to an absolute path, all plugins share this same root directory, so the check only confines writes to that root rather than to the tool's own directory. An authenticated user can therefore create arbitrary file structures and overwrite existing configuration files anywhere within the shared /plugins directory.

Details

In the function save_tool_config() ([local_mode.rb](https://github.com/OpenC3/cosmos/blob/397abec0d57972881a2e8dc10902d0dce9c27f42/openc3/lib/openc3/utilities/local_mode.rb#L452)), which is responsible for saving user-supplied tool configuration, the intended destination directory is not sufficiently enforced; instead, writes are allowed anywhere inside OPENC3_LOCAL_MODE_PATH.

PoC

  1. Navigate to any tool that offers the “Save Configuration” option in the left-hand drop-down menu (Limits Monitor is used here as an example)
  2. Save a new config whose name contains “../” sequences to escape the intended directory (up to three levels up)
  3. Observe the new files created in the /plugins directory by inspecting the docker container directly (openc3-COSMOS-cmd-tlm-api) or by using Bucket Explorer (a default plugin)
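The following is an added example, not code from the OpenC3 COSMOS project, that models the check described above. It assumes a layout of `<root>/<scope>/tool_config/<tool>/<name>.json` under one shared root; the directory layout, function names and sample filenames are assumptions made for illustration. The weak resolver canonicalizes the full path and only verifies that it stays under the shared root, so “../” sequences that remain inside the root are accepted (which is why three levels of traversal reach the root but a fourth is rejected). The strict resolver confines the write to the tool's own directory and additionally rejects any user-controlled piece that is not a single path component.

```ruby
require 'fileutils'
require 'json'
require 'tmpdir'

# Assumed layout (not taken from the project): <root>/<scope>/tool_config/<tool>/<name>.json
CONFIG_SUBDIR = 'tool_config'

# Weak check: canonicalize the full path, then only verify that it still lies
# under the shared root. "../" sequences that stay inside the root pass.
def resolve_config_path_weak(root, scope, tool, name)
  root_abs  = File.expand_path(root)
  candidate = File.expand_path(File.join(root_abs, scope, CONFIG_SUBDIR, tool, "#{name}.json"))
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end

# True only for a plain filename: no separators, no "." or ".." prefix, no NUL byte.
def single_component?(part)
  !part.empty? && part == File.basename(part) && !part.start_with?('.') && !part.include?("\0")
end

# Strict check: every user-controlled piece must be a single component, and the
# canonical result must lie under the tool's own directory, not merely under root.
def resolve_config_path_strict(root, scope, tool, name)
  return nil unless [scope, tool, name].all? { |p| single_component?(p) }
  tool_dir  = File.expand_path(File.join(root, scope, CONFIG_SUBDIR, tool))
  candidate = File.expand_path(File.join(tool_dir, "#{name}.json"))
  return nil unless candidate.start_with?(tool_dir + File::SEPARATOR)
  candidate
end

# Writes the JSON config if the resolver accepted the path; returns whether it wrote.
def write_config(path, data)
  return false if path.nil?
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, JSON.pretty_generate(data))
  true
end

# Runs a set of constructed filenames through the given resolver inside a throwaway
# "plugins" root and reports, per name, the path written relative to that root
# (nil when the resolver rejected the name).
def demo(resolver)
  names = ['my_config', '../other_tool/stolen', '../../../top_level', '../../../../outside']
  Dir.mktmpdir('plugins') do |root|
    names.to_h do |name|
      path = send(resolver, root, 'DEFAULT', 'limits_monitor', name)
      written = write_config(path, { 'name' => name })
      [name, written ? path.delete_prefix(File.expand_path(root) + File::SEPARATOR) : nil]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  puts "weak:   #{demo(:resolve_config_path_weak)}"
  puts "strict: #{demo(:resolve_config_path_strict)}"
end
```

With the weak resolver, `../other_tool/stolen` lands in another tool's configuration directory and `../../../top_level` lands directly in the shared root, while `../../../../outside` is the only name that is rejected; the strict resolver accepts only `my_config`. Checking the canonical path against the tool's own directory is what closes the gap, and the single-component check on scope, tool and name prevents the same escape through any of those parameters.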

Impact

An authenticated user can modify or overwrite the configuration data of other plugins within the shared /plugins directory.

Exploit

Fix

Weakness Enumeration

Relative Path Traversal

Related Identifiers

GHSA-4JVX-93H3-F45H

Affected Products

Openc3